Although web applications operate in a virtual environment, some of them, including online auction or banking applications, involve real-world monetary transactions. Both web users and web sites have a vested interest in protecting these monetary transactions, which present attractive targets for manipulation by hackers.
Malicious exploitations of critical vulnerabilities of these security-critical web applications are continuously being devised, with cross-site scripting attacks and cross-site request forgery attacks being particularly favored by hackers. The vanguard of these attacks is a malicious link that has been tainted with scripting or forged input, which is presented to a legitimate user by way of an electronic communication. When the legitimate user innocently selects this malicious link, a script is enabled to execute in the security context of the user's browser and the target web site.
Although conventional client-side and server-side techniques exist to protect against cross-site attacks, these approaches are often deficient. For example, some of these typical approaches only address session theft attacks, which attack the integrity of the session.